Protection Cross-site Scripting (XSS) Attacks
Cross-site Scripting (XSS) attacks enable an attacker to be able to hijack information from visitors of your site by injecting client-side scripting into your Web application. For example say you're hosting a comments form, allowing site users to come in and enter in information directly via a Web form, and then output the data to the browser in real time. This type of functionality is common in guest books, and forum applications. One problem with it, though, is if you don't do some validation on

| Hits: | 60 | Platforms: | Windows |
| Ratings: | Last Updated: | 2006-07-23 |
Top Ten Security Tips
There are many ways to get into trouble when it comes to security. You can trust all code that runs on your network, give any user access to important files, and never bother to check that code on your machine has not changed. You can run without virus protection software, not build security into your own code, and give too many privileges to too many accounts. You can even use a number of built-in functions carelessly enough to allow break-ins, and you can leave server ports open and unmonitore

| Hits: | 74 | Platforms: | Windows |
| Ratings: | Last Updated: | 2006-07-23 |
.NET Remoting Security Solution
Learn about Microsoft.Samples.Security.SSPI, a stand-alone sample application for implementing a security solution across a remoting boundary. It provides authentication, signing, and encryption services that can be used across a range of communication protocols including sockets, RPC, and so on.

| Hits: | 31 | Platforms: | Windows |
| Ratings: | Last Updated: | 2006-07-23 |
Code Access Security
Rich clients employ many of the features and conveniences of the operating system they run on, and the list of these features has been growing since the dawn of the PC. But as apps have migrated to the Web, the trend towards increasing client-side functionality has ground to a virtual halt. There are several reasons for this; chief among them are security and deployment problems. But that's all about to change. With the .NET Framework, you can participate in building the distributable rich clien

| Hits: | 61 | Platforms: | Windows |
| Ratings: | Last Updated: | 2006-07-23 |
Role-Based Security with ASP.NET
In my previous article, I demonstrated how authentication providers can be used to manage the process of authenticating users. I also showed that classes and methods exist within the .NET Framework that can be used to inspect the basic attributes of a current user. In this article, I will extend upon that base, by showing how the .NET Framework provides support for the implementation of role based security. Before we start, let's take a quick look at what roles are, and how they might be comm

| Hits: | 43 | Platforms: | Windows |
| Ratings: | Last Updated: | 2006-07-23 |
Securing directories with Forms Authentication
ASP.NET has three types of authentication services that can be activated for an application: Windows, Forms, and Passport Authentication (and also None which is the default). Windows authentication authorizes requests against NT users or groups. Passport authenticates against the Passport database. And Forms authentication redirects unauthenticated users to a login page where you can secure a directory in your application much like .htaccess. Forms authentication performs all the necessary cooki

| Hits: | 44 | Platforms: | Windows |
| Ratings: | Last Updated: | 2006-07-23 |
Security for Downloaded Code
Two months ago in Death of the Browser?, I talked about some Microsoft .NET capabilities that I thought might cause a resurgence of interest in smart client programming. The example in that column allowed downloading and execution of Windows Forms stored on a Web server. Unfortunately, that column skipped over one important subject—security. After discussing the download process and issues such as versioning, there just wasn't enough room in the column to discuss security. However, I think

| Hits: | 30 | Platforms: | Windows |
| Ratings: | Last Updated: | 2006-07-23 |
ASP .NET Security Issues
This month I'm starting a series of columns dedicated to security in the Microsoft® .NET Framework, and I figured that the best place to start would be one of its most popular features, ASP .NET. Security versus Ease of Access There are lots of different types of Web sites with varying security needs. Some Web sites (search engines, for example) collect no information about their users, and publish data that is widely available. These sites don't have much to lose by having a rather open se

| Hits: | 44 | Platforms: | Windows |
| Ratings: | Last Updated: | 2006-07-23 |
Encrypting QueryStrings with .NET
Once upon a time in the tech world, obscurity was security - this being most true in the early years of the industry, when there were gaping holes in privacy policies and confidential client information was bandied about from site to site without a care as to who actually could read the information. With the new Cryptography classes in .NET, there's absolutely no excuse for not hiding even the most innocuous user data. If you ever need to 'piggy-back' information from one web page to another,

| Hits: | 38 | Platforms: | Windows |
| Ratings: | Last Updated: | 2006-07-23 |
.NET Security in C#
Since my company does a lot of .NET consultancy, one of our recent projects required that file i/o access be denied if the user running the application did not have administrator privileges. A lot has been written about the command line utility caspol.exe, however, this can seem a little over the top and quite complex when considering code groups, policy levels and zone management. I basically wanted to programmatically check whether the user had the relevant permissions by accessing their wi

| Hits: | 32 | Platforms: | Windows |
| Ratings: | Last Updated: | 2006-07-23 |
Hassle-free Cryptography In .NET
Cryptography is a wonderful thing to have in your applications; particularly if you’re writing anything for the government or that has to adhere to government standards. To accomplish this in the past, you had to go through quite a bit of coding by hand, or use a security SDK that proved elusive to find at times. That aside, what is present in the .NET framework is nothing short of a Godsend; crypto that anyone can use with no hassle. If you take the time to type “System.Security.Cryptogr

| Hits: | 104 | Platforms: | Windows |
| Ratings: | Last Updated: | 2006-07-23 |
Protecting IL Code from Unauthorised Disassembling
Microsoft .NET proved a mechanism where the code written in VB.NET, C# or any CLS compliant languages to generate MSIL (Microsoft Intermediate Language) code which targets the CLR and executes. This is an excellent mechanism to abstract the high level code from the underlying hardware. What gets generated from the source file is a PE (Portable Executable) which will run on the CLR. Despite the advantages it offers, this mechanism faces a severe drawback of the MSIL which can get decompiled t

| Hits: | 45 | Platforms: | Windows |
| Ratings: | Last Updated: | 2006-07-23 |
Understanding How Assert Effects Security
Moving beyond the small stand-alone applications that are content functioning with default permissions, there may be times when your program needs to access resources that you prefer to restrict other external assemblies from having direct access to. How you restrict access to your library modules and resources requires that you understand the pros and cons in the security process used. What is Assert? Assert is a security action that is evaluated at run time. Code Access Permission classe

| Hits: | 33 | Platforms: | Windows |
| Ratings: | Last Updated: | 2006-07-23 |
Make managed code work with .NET's CAS
One of the great benefits of .NET is that you can easily download and execute code on multiple workstations to enable the creation of smart client applications. Although this convenient feature can make your life easier, it can also increase security problems. However, the .NET Framework offers a solution in code access security (CAS). CAS enables the .NET Framework to go beyond simple identity-based security and allows administrators to configure different levels of trust based on attributes of

| Hits: | 56 | Platforms: | Windows |
| Ratings: | Last Updated: | 2006-07-23 |
Writing Secure Code using CSharp
Mobile Code, which come from various sources like e-mail, documents and downloaded code over the Internet are the main cause for the damage, destroy or copy private data. So to help protect computer systems from malicious mobile code and to provide a way to allow mobile code to run safely, the .NET Framework provides a security mechanism called code access security. Code access security is a mechanism that controls the access code has to protected resources and operations. NET Framework, co

| Hits: | 97 | Platforms: | Windows |
| Ratings: | Last Updated: | 2006-07-23 |
Role-based Security
Security is important. Most developers don't like security. It requires a lot of thought. It requires study. Most developers would rather just "write code", and leave security to "somebody else". Unfortunately, if you are a developer and your job is to produce an application, then guess who that "somebody else" usually is? It's YOU. Even behemoth Microsoft got the message loud and clear. They've made security the single most important thing, above everything else. Wanna know why .NET Server, whi

| Hits: | 39 | Platforms: | Windows |
| Ratings: | Last Updated: | 2006-07-23 |
Role-based Security with Forms Authentication
Forms Authentication in ASP.NET can be a powerful feature. With very little code and effort, you can have a simple authentication system that is platform-agnostic. If your needs are more complex, however, and require more efficient controls over assets, you need the flexibility of groups. Windows Authentication gives you this flexibility, but it is not compatible with anything but Internet Explorer since it uses NTLM, Microsoft's proprietary authentication system. Now you must choose how to mana

| Hits: | 13 | Platforms: | Windows |
| Ratings: | Last Updated: | 2006-07-23 |
Secure your .NET smart client apps with CAS
The Microsoft Windows .NET Framework has raised the bar for development in the era of smart client and XML Web services applications. The inclusion of a robust and object-oriented runtime engine, the Common Language Runtime (CLR), coupled with a comprehensive set of class libraries, allows developers to more easily create smart client applications that download and execute locally on a user’s PC but that are “no-touch” in terms of deployment, installation, and updates. Many of these concep

| Hits: | 64 | Platforms: | Windows |
| Ratings: | Last Updated: | 2006-07-23 |
Security SmackDown
We released a HUGE .NET project, all crafted with C#, SQL Server and ASP.NET. Problems? You bet… but nothing at all like releasing in ASP 3.0 – in fact, given the circumstances, it was a big success. Microsoft has gone out of their way to provide some really great tools and documentation to make the launch of your .NET application as smooth as possible. Given the history of DLL HELL and trying to get dynamic libraries registered and running in MTS Services… well, you get the point. I

| Hits: | 13 | Platforms: | Windows |
| Ratings: | Last Updated: | 2006-07-23 |
Security in ASP.NET
This article shows you how security works in ASP.NET as well as the different ways of doing it; there is no code, just a whole bunch of flow charts.

| Hits: | 16 | Platforms: | Windows |
| Ratings: | Last Updated: | 2006-07-23 |